From 8dca1444594ebc8dab5dd0266563f68322b97a47 Mon Sep 17 00:00:00 2001 From: Ryan Bogan Date: Wed, 24 Jan 2024 15:24:06 -0800 Subject: [PATCH 1/6] Remove default admin credentials Signed-off-by: Ryan Bogan --- .github/workflows/test_security.yml | 2 +- build.gradle | 11 +++-------- 2 files changed, 4 insertions(+), 9 deletions(-) diff --git a/.github/workflows/test_security.yml b/.github/workflows/test_security.yml index 783b4399c..572234166 100644 --- a/.github/workflows/test_security.yml +++ b/.github/workflows/test_security.yml @@ -56,4 +56,4 @@ jobs: # switching the user, as OpenSearch cluster can only be started as root/Administrator on linux-deb/linux-rpm/windows-zip. run: | chown -R 1000:1000 `pwd` - su `id -un 1000` -c "whoami && java -version && ./gradlew integTest -Dsecurity.enabled=true" + su `id -un 1000` -c "whoami && java -version && ./gradlew integTest -Dsecurity.enabled=true -Dhttps=true -Duser=admin -Dpassword=myStrongPassword123!" diff --git a/build.gradle b/build.gradle index a0dae2559..4bdf373ac 100644 --- a/build.gradle +++ b/build.gradle @@ -93,9 +93,9 @@ ext { cluster.getNodes().forEach { node -> var creds = node.getCredentials() if (creds.isEmpty()) { - creds.add(Map.of('username', 'admin', 'password', 'admin')) + creds.add(Map.of('username', 'admin', 'password', 'myStrongPassword123!')) } else { - creds.get(0).putAll(Map.of('username', 'admin', 'password', 'admin')) + creds.get(0).putAll(Map.of('username', 'admin', 'password', 'myStrongPassword123!')) } } 
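Review bot: In the `.github/workflows/test_security.yml` hunk (`@@ -56,4 +56,4 @@`), the new `-Dpassword=myStrongPassword123!` puts the admin password as a literal inside the `su -c "..."` command string, so it is committed with the workflow and shown wherever the step's command is echoed. The same literal is repeated in the `build.gradle` hunk at `@@ -93,9 +93,9 @@` and again in PATCH 2/6 at `@@ -337,6 +337,13 @@`, so three places have to change together. I would define the value once on the step, for example an `env:` entry fed from a repository secret or variable, and reference it here as `-Dpassword=$ADMIN_PASSWORD` (placeholder name).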
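Review bot: In the `build.gradle` hunk at `@@ -93,9 +93,9 @@`, both branches pin the credentials attached to each node to the literal `'myStrongPassword123!'`, while the `integTest` block in the following hunk forwards whatever `-Dpassword` the caller supplied through `systemProperty("password", password)`. A run with a different `-Dpassword` would therefore leave the node credentials and the test credentials out of step. Resolving the value once and using it in both branches avoids that, e.g. `def adminPassword = System.getProperty("password", 'myStrongPassword123!')` and then `creds.add(Map.of('username', 'admin', 'password', adminPassword))`. The enclosing `ext { ... }` block starts outside the hunk.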
@@ -336,12 +336,7 @@ integTest { var is_https = System.getProperty("https") var user = System.getProperty("user") var password = System.getProperty("password") - if (System.getProperty("security.enabled") != null) { - // If security is enabled, set is_https/user/password defaults - is_https = is_https == null ? "true" : is_https - user = user == null ? "admin" : user - password = password == null ? "admin" : password - } + systemProperty("https", is_https) systemProperty("user", user) systemProperty("password", password) From e5e2f3999815c84ce82da3970224578eb7805479 Mon Sep 17 00:00:00 2001 From: Ryan Bogan Date: Wed, 24 Jan 2024 15:37:38 -0800 Subject: [PATCH 2/6] Update developer guide Signed-off-by: Ryan Bogan --- DEVELOPER_GUIDE.md | 30 ++---------------------------- build.gradle | 7 +++++++ 2 files changed, 9 insertions(+), 28 deletions(-) diff --git a/DEVELOPER_GUIDE.md b/DEVELOPER_GUIDE.md index a62437a8b..cdb316d9c 100644 --- a/DEVELOPER_GUIDE.md +++ b/DEVELOPER_GUIDE.md 
@@ -274,33 +274,7 @@ curl localhost:9200 Additionally, it is also possible to run a cluster with security enabled: ```shell script -./gradlew run -Dsecurity.enabled=true -Dhttps=true -Duser=admin -Dpassword=admin -``` - -By default, if `-Dsecurity.enabled=true` is passed the following defaults will be used: `https=true`, `user=admin` and -`password=admin`. - -Then, to access the cluster, we can run -```bash -curl https://localhost:9200 --insecure -u admin:admin - -{ - "name" : "integTest-0", - "cluster_name" : "integTest", - "cluster_uuid" : "kLsNk4JDTMyp1yQRqog-3g", - "version" : { - "distribution" : "opensearch", - "number" : "3.0.0-SNAPSHOT", - "build_type" : "tar", - "build_hash" : "9d85e566894ef53e5f2093618b3d455e4d0a04ce", - "build_date" : "2023-10-30T18:34:06.996519Z", - "build_snapshot" : true, - "lucene_version" : "9.8.0", - "minimum_wire_compatibility_version" : "2.12.0", - "minimum_index_compatibility_version" : "2.0.0" - }, - "tagline" : "The OpenSearch Project: https://opensearch.org/" -} +./gradlew run -Dsecurity.enabled=true -Dhttps=true -Duser=admin -Dpassword=myStrongPassword123! ``` ### Run Multi-node Cluster Locally @@ -331,7 +305,7 @@ Integration tests can be run with remote cluster. For that run the following com In case remote cluster is secured it's possible to pass username and password with the following command: ``` -./gradlew :integTestRemote -Dtests.rest.cluster=localhost:9200 -Dtests.cluster=localhost:9200 -Dtests.clustername="integTest-0" -Dhttps=true -Duser=admin -Dpassword=admin +./gradlew :integTestRemote -Dtests.rest.cluster=localhost:9200 -Dtests.cluster=localhost:9200 -Dtests.clustername="integTest-0" -Dhttps=true -Duser=admin -Dpassword=myStrongPassword123! ``` ### Debugging diff --git a/build.gradle b/build.gradle index 4bdf373ac..26a6db876 100644 --- a/build.gradle +++ b/build.gradle 
@@ -337,6 +337,13 @@ integTest { var user = System.getProperty("user") var password = System.getProperty("password") + if (System.getProperty("security.enabled") != null) { + // If security is enabled, set is_https/user/password defaults + is_https = is_https == null ? "true" : is_https + user = user == null ? "admin" : user + password = password == null ? "myStrongPassword123!" : password + } + systemProperty("https", is_https) systemProperty("user", user) systemProperty("password", password) From e6a01eb505b295df4b32e899688d2d9588d65193 Mon Sep 17 00:00:00 2001 From: Ryan Bogan Date: Wed, 24 Jan 2024 15:57:43 -0800 Subject: [PATCH 3/6] Debug Signed-off-by: Ryan Bogan --- .github/workflows/test_security.yml | 2 +- build.gradle | 7 ++++--- 2 files changed, 5 insertions(+), 4 deletions(-) diff --git a/.github/workflows/test_security.yml b/.github/workflows/test_security.yml index 572234166..783b4399c 100644 --- a/.github/workflows/test_security.yml +++ b/.github/workflows/test_security.yml @@ -56,4 +56,4 @@ jobs: # switching the user, as OpenSearch cluster can only be started as root/Administrator on linux-deb/linux-rpm/windows-zip. run: | chown -R 1000:1000 `pwd` - su `id -un 1000` -c "whoami && java -version && ./gradlew integTest -Dsecurity.enabled=true -Dhttps=true -Duser=admin -Dpassword=myStrongPassword123!" + su `id -un 1000` -c "whoami && java -version && ./gradlew integTest -Dsecurity.enabled=true" diff --git a/build.gradle b/build.gradle index 26a6db876..6a3a31ad6 100644 --- a/build.gradle +++ b/build.gradle @@ -17,6 +17,7 @@ buildscript { version_qualifier = System.getProperty("build.version_qualifier", "") opensearch_group = "org.opensearch" isSnapshot = "true" == System.getProperty("build.snapshot", "true") + System.setProperty("OPENSEARCH_INITIAL_ADMIN_PASSWORD", "myStrongPassword123!") version_tokens = opensearch_version.tokenize('-') opensearch_build = version_tokens[0] + '.0' 
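Review bot: In the `build.gradle` hunk at `@@ -337,6 +337,13 @@`, the guard `System.getProperty("security.enabled") != null` is true for any value, so `-Dsecurity.enabled=false` still switches the tests to HTTPS with the `admin` defaults. Comparing the value matches how the flag is passed everywhere else in this series (`-Dsecurity.enabled=true`): `if ("true" == System.getProperty("security.enabled")) {`. The fallback password is also a literal in the build script; if it is meant only for the local test cluster, a comment such as `// test-cluster default only; override with -Dpassword` would say so. The `integTest { ... }` block starts and ends outside the hunk.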
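Review bot: In the `build.gradle` hunk at `@@ -17,6 +17,7 @@`, `System.setProperty("OPENSEARCH_INITIAL_ADMIN_PASSWORD", "myStrongPassword123!")` runs unconditionally, so it overwrites any value passed as `-DOPENSEARCH_INITIAL_ADMIN_PASSWORD=...` and leaves the literal in the build JVM's global properties. The all-caps name reads like an environment variable; if the intent is for an externally supplied value to win, reading it instead of setting it would do that, e.g. `admin_password = System.getenv("OPENSEARCH_INITIAL_ADMIN_PASSWORD") ?: System.getProperty("password")` (the variable name is a suggestion). The commit subject is only `Debug`, so if this line is temporary it is worth saying so in the message. The `buildscript` block continues outside the hunk.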
@@ -93,9 +94,9 @@ ext { cluster.getNodes().forEach { node -> var creds = node.getCredentials() if (creds.isEmpty()) { - creds.add(Map.of('username', 'admin', 'password', 'myStrongPassword123!')) + creds.add(Map.of('username', 'admin', 'password', System.getProperty("OPENSEARCH_INITIAL_ADMIN_PASSWORD"))) } else { - creds.get(0).putAll(Map.of('username', 'admin', 'password', 'myStrongPassword123!')) + creds.get(0).putAll(Map.of('username', 'admin', 'password', System.getProperty("OPENSEARCH_INITIAL_ADMIN_PASSWORD"))) } } @@ -341,7 +342,7 @@ integTest { // If security is enabled, set is_https/user/password defaults is_https = is_https == null ? "true" : is_https user = user == null ? "admin" : user - password = password == null ? "myStrongPassword123!" : password + password = password == null ? System.getProperty("OPENSEARCH_INITIAL_ADMIN_PASSWORD") : password } systemProperty("https", is_https) From 2d39a50da10ab4d51b96f060da480954b819b519 Mon Sep 17 00:00:00 2001 From: Ryan Bogan Date: Wed, 24 Jan 2024 16:32:10 -0800 Subject: [PATCH 4/6] Revert build.gradle changes Signed-off-by: Ryan Bogan --- build.gradle | 7 +++---- 1 file changed, 3 insertions(+), 4 deletions(-) diff --git a/build.gradle b/build.gradle index 6a3a31ad6..f8831398f 100644 --- a/build.gradle +++ b/build.gradle @@ -17,7 +17,6 @@ buildscript { version_qualifier = System.getProperty("build.version_qualifier", "") opensearch_group = "org.opensearch" isSnapshot = "true" == System.getProperty("build.snapshot", "true") - System.setProperty("OPENSEARCH_INITIAL_ADMIN_PASSWORD", "myStrongPassword123!") version_tokens = opensearch_version.tokenize('-') opensearch_build = version_tokens[0] + '.0' 
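Review bot: In the `build.gradle` hunk at `@@ -93,9 +94,9 @@`, `Map.of(...)` is handed `System.getProperty("OPENSEARCH_INITIAL_ADMIN_PASSWORD")` directly, and `Map.of` throws `NullPointerException` on a null value, so this closure fails with an unhelpful trace if the property is ever unset. The hunk at `@@ -341,7 +342,7 @@` has the quieter form of the same problem: `password` silently stays null. Both rely on the `System.setProperty` call this commit adds near the top of the file. Resolving the value once with a clear message covers both sites: `def adminPassword = Objects.requireNonNull(System.getProperty("OPENSEARCH_INITIAL_ADMIN_PASSWORD"), "OPENSEARCH_INITIAL_ADMIN_PASSWORD is not set")`.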
@@ -94,9 +93,9 @@ ext { cluster.getNodes().forEach { node -> var creds = node.getCredentials() if (creds.isEmpty()) { - creds.add(Map.of('username', 'admin', 'password', System.getProperty("OPENSEARCH_INITIAL_ADMIN_PASSWORD"))) + creds.add(Map.of('username', 'admin', 'password', 'admin')) } else { - creds.get(0).putAll(Map.of('username', 'admin', 'password', System.getProperty("OPENSEARCH_INITIAL_ADMIN_PASSWORD"))) + creds.get(0).putAll(Map.of('username', 'admin', 'password', 'admin')) } } @@ -342,7 +341,7 @@ integTest { // If security is enabled, set is_https/user/password defaults is_https = is_https == null ? "true" : is_https user = user == null ? "admin" : user - password = password == null ? System.getProperty("OPENSEARCH_INITIAL_ADMIN_PASSWORD") : password + password = password == null ? "admin" : password } systemProperty("https", is_https) From 02958d3edf5184cae2b07d36cb7ebce184e6bac0 Mon Sep 17 00:00:00 2001 From: Ryan Bogan Date: Wed, 24 Jan 2024 17:16:10 -0800 Subject: [PATCH 5/6] Update developer guide Signed-off-by: Ryan Bogan --- DEVELOPER_GUIDE.md | 22 ++++++++++++++++++++++ 1 file changed, 22 insertions(+) diff --git a/DEVELOPER_GUIDE.md b/DEVELOPER_GUIDE.md index cdb316d9c..f55fb5eaf 100644 --- a/DEVELOPER_GUIDE.md +++ b/DEVELOPER_GUIDE.md 
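Review bot: In the `build.gradle` hunk at `@@ -94,9 +93,9 @@`, both branches go back to `'password', 'admin'`, and the hunk at `@@ -342,7 +341,7 @@` restores `"admin"` as the `integTest` fallback, so after this commit the build script carries the same `admin`/`admin` defaults that PATCH 1/6 ("Remove default admin credentials") set out to remove. PATCH 3/6 already returned `test_security.yml` to its pre-series blob (`783b4399c`), so as far as these hunks show the series changes credentials only in `DEVELOPER_GUIDE.md`. If the revert is deliberate, a comment at the fallback would record that, e.g. `// admin/admin is the test-cluster default; pass -Dpassword to override`. Both enclosing blocks start outside the hunks.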
@@ -277,6 +277,28 @@ Additionally, it is also possible to run a cluster with security enabled: ./gradlew run -Dsecurity.enabled=true -Dhttps=true -Duser=admin -Dpassword=myStrongPassword123! ``` +Then, to access the cluster, we can run +```bash +curl https://localhost:9200 --insecure -u admin:myStrongPassword123! + +{ + "name" : "integTest-0", + "cluster_name" : "integTest", + "cluster_uuid" : "kLsNk4JDTMyp1yQRqog-3g", + "version" : { + "distribution" : "opensearch", + "number" : "3.0.0-SNAPSHOT", + "build_type" : "tar", + "build_hash" : "9d85e566894ef53e5f2093618b3d455e4d0a04ce", + "build_date" : "2023-10-30T18:34:06.996519Z", + "build_snapshot" : true, + "lucene_version" : "9.8.0", + "minimum_wire_compatibility_version" : "2.12.0", + "minimum_index_compatibility_version" : "2.0.0" + }, + "tagline" : "The OpenSearch Project: https://opensearch.org/" +} + ### Run Multi-node Cluster Locally It can be useful to test and debug on a multi-node cluster. In order to launch a 3 node cluster with the KNN plugin installed, run the following command: From 76de267629d032bcf8ed3680a2690f0b2458ece6 Mon Sep 17 00:00:00 2001 From: Ryan Bogan Date: Thu, 25 Jan 2024 09:12:44 -0800 Subject: [PATCH 6/6] Remove default password in favor of Signed-off-by: Ryan Bogan --- DEVELOPER_GUIDE.md | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/DEVELOPER_GUIDE.md b/DEVELOPER_GUIDE.md index f55fb5eaf..964aeea6b 100644 --- a/DEVELOPER_GUIDE.md +++ b/DEVELOPER_GUIDE.md @@ -274,12 +274,12 @@ curl localhost:9200 Additionally, it is also possible to run a cluster with security enabled: ```shell script -./gradlew run -Dsecurity.enabled=true -Dhttps=true -Duser=admin -Dpassword=myStrongPassword123! +./gradlew run -Dsecurity.enabled=true -Dhttps=true -Duser=admin -Dpassword= ``` Then, to access the cluster, we can run ```bash -curl https://localhost:9200 --insecure -u admin:myStrongPassword123! +curl https://localhost:9200 --insecure -u admin: { "name" : "integTest-0", 
@@ -327,7 +327,7 @@ Integration tests can be run with remote cluster. For that run the following com In case remote cluster is secured it's possible to pass username and password with the following command: ``` -./gradlew :integTestRemote -Dtests.rest.cluster=localhost:9200 -Dtests.cluster=localhost:9200 -Dtests.clustername="integTest-0" -Dhttps=true -Duser=admin -Dpassword=myStrongPassword123! +./gradlew :integTestRemote -Dtests.rest.cluster=localhost:9200 -Dtests.cluster=localhost:9200 -Dtests.clustername="integTest-0" -Dhttps=true -Duser=admin -Dpassword= ``` ### Debugging